CraftByte
just joined
Topic Author
Posts: 12
Joined: Mon Sep 12, 2016 4:38 pm

macOS Road Warrior not connecting

Tue May 14, 2019 1:18 am

I configured the Road Warrior as per the wiki; it works on Android and Windows, but macOS seems to be having a hard time (error: peer's ID does not match certificate):
may/14 00:07:10 ipsec,debug ===== received 604 bytes from CLIENTS_PUBLIC_IP[16074] to MY_PUBLIC_IP[500] 
may/14 00:07:10 ipsec -> ike2 request, exchange: SA_INIT:0 CLIENTS_PUBLIC_IP[16074] 
may/14 00:07:10 ipsec ike2 respond 
may/14 00:07:10 ipsec payload seen: SA 
may/14 00:07:10 ipsec payload seen: KE 
may/14 00:07:10 ipsec payload seen: NONCE 
may/14 00:07:10 ipsec payload seen: NOTIFY 
may/14 00:07:10 ipsec payload seen: NOTIFY 
may/14 00:07:10 ipsec payload seen: NOTIFY 
may/14 00:07:10 ipsec payload seen: NOTIFY 
may/14 00:07:10 ipsec processing payload: NONCE 
may/14 00:07:10 ipsec processing payload: SA 
may/14 00:07:10 ipsec IKE Protocol: IKE 
may/14 00:07:10 ipsec  proposal #1 
may/14 00:07:10 ipsec   enc: aes256-cbc 
may/14 00:07:10 ipsec   prf: hmac-sha256 
may/14 00:07:10 ipsec   auth: sha256 
may/14 00:07:10 ipsec   dh: modp2048 
may/14 00:07:10 ipsec  proposal #2 
may/14 00:07:10 ipsec   enc: aes256-cbc 
may/14 00:07:10 ipsec   prf: hmac-sha256 
may/14 00:07:10 ipsec   auth: sha256 
may/14 00:07:10 ipsec   dh: ecp256 
may/14 00:07:10 ipsec  proposal #3 
may/14 00:07:10 ipsec   enc: aes256-cbc 
may/14 00:07:10 ipsec   prf: hmac-sha256 
may/14 00:07:10 ipsec   auth: sha256 
may/14 00:07:10 ipsec   dh: modp1536 
may/14 00:07:10 ipsec  proposal #4 
may/14 00:07:10 ipsec   enc: aes128-cbc 
may/14 00:07:10 ipsec   prf: hmac-sha1 
may/14 00:07:10 ipsec   auth: sha1 
may/14 00:07:10 ipsec   dh: modp1024 
may/14 00:07:10 ipsec  proposal #5 
may/14 00:07:10 ipsec   enc: 3des-cbc 
may/14 00:07:10 ipsec   prf: hmac-sha1 
may/14 00:07:10 ipsec   auth: sha1 
may/14 00:07:10 ipsec   dh: modp1024 
may/14 00:07:10 ipsec matched proposal: 
may/14 00:07:10 ipsec  proposal #4 
may/14 00:07:10 ipsec   enc: aes128-cbc 
may/14 00:07:10 ipsec   prf: hmac-sha1 
may/14 00:07:10 ipsec   auth: sha1 
may/14 00:07:10 ipsec   dh: modp1024 
may/14 00:07:10 ipsec processing payload: KE 
may/14 00:07:10 ipsec DH group number mismatch: 2 != 14 
may/14 00:07:10 ipsec adding notify: INVALID_KE_PAYLOAD 
may/14 00:07:10 ipsec,debug => (size 0xa) 
may/14 00:07:10 ipsec,debug 0000000a 00000011 0002 
may/14 00:07:10 ipsec,debug ===== sending 38 bytes from MY_PUBLIC_IP[500] to CLIENTS_PUBLIC_IP[16074] 
may/14 00:07:10 ipsec,debug 1 times of 38 bytes message will be sent to CLIENTS_PUBLIC_IP[16074] 
may/14 00:07:10 ipsec,debug ===== received 476 bytes from CLIENTS_PUBLIC_IP[16074] to MY_PUBLIC_IP[500] 
may/14 00:07:10 ipsec -> ike2 request, exchange: SA_INIT:0 CLIENTS_PUBLIC_IP[16074] 
may/14 00:07:10 ipsec ike2 respond 
may/14 00:07:10 ipsec payload seen: SA 
may/14 00:07:10 ipsec payload seen: KE 
may/14 00:07:10 ipsec payload seen: NONCE 
may/14 00:07:10 ipsec payload seen: NOTIFY 
may/14 00:07:10 ipsec payload seen: NOTIFY 
may/14 00:07:10 ipsec payload seen: NOTIFY 
may/14 00:07:10 ipsec payload seen: NOTIFY 
may/14 00:07:10 ipsec processing payload: NONCE 
may/14 00:07:10 ipsec processing payload: SA 
may/14 00:07:10 ipsec IKE Protocol: IKE 
may/14 00:07:10 ipsec  proposal #1 
may/14 00:07:10 ipsec   enc: aes256-cbc 
may/14 00:07:10 ipsec   prf: hmac-sha256 
may/14 00:07:10 ipsec   auth: sha256 
may/14 00:07:10 ipsec   dh: modp2048 
may/14 00:07:10 ipsec  proposal #2 
may/14 00:07:10 ipsec   enc: aes256-cbc 
may/14 00:07:10 ipsec   prf: hmac-sha256 
may/14 00:07:10 ipsec   auth: sha256 
may/14 00:07:10 ipsec   dh: ecp256 
may/14 00:07:10 ipsec  proposal #3 
may/14 00:07:10 ipsec   enc: aes256-cbc 
may/14 00:07:10 ipsec   prf: hmac-sha256 
may/14 00:07:10 ipsec   auth: sha256 
may/14 00:07:10 ipsec   dh: modp1536 
may/14 00:07:10 ipsec  proposal #4 
may/14 00:07:10 ipsec   enc: aes128-cbc 
may/14 00:07:10 ipsec   prf: hmac-sha1 
may/14 00:07:10 ipsec   auth: sha1 
may/14 00:07:10 ipsec   dh: modp1024 
may/14 00:07:10 ipsec  proposal #5 
may/14 00:07:10 ipsec   enc: 3des-cbc 
may/14 00:07:10 ipsec   prf: hmac-sha1 
may/14 00:07:10 ipsec   auth: sha1 
may/14 00:07:10 ipsec   dh: modp1024 
may/14 00:07:10 ipsec matched proposal: 
may/14 00:07:10 ipsec  proposal #4 
may/14 00:07:10 ipsec   enc: aes128-cbc 
may/14 00:07:10 ipsec   prf: hmac-sha1 
may/14 00:07:10 ipsec   auth: sha1 
may/14 00:07:10 ipsec   dh: modp1024 
may/14 00:07:10 ipsec processing payload: KE 
may/14 00:07:10 ipsec,debug => shared secret (size 0x80) 
may/14 00:07:10 ipsec,debug 550c9807 d2ac5deb 851ec1ae 59fda4cd e250f2e1 9edb711a e2441206 fa679b13 
may/14 00:07:10 ipsec,debug 4dd69f53 3071da39 ad5793ce 4c34d5fa 30320006 7cd8b419 03d3d422 2969c60e 
may/14 00:07:10 ipsec,debug 54f8fb8b 8cb28ca1 f6b59da4 9e1b78f0 94dd5410 26aa1ac2 0d482aa5 f606fa9b 
may/14 00:07:10 ipsec,debug 7958c6d2 90917435 be425246 6f5bed78 f308f5f9 56fd14bd 5c6da719 a7e21ab4 
may/14 00:07:10 ipsec adding payload: SA 
may/14 00:07:10 ipsec,debug => (size 0x30) 
may/14 00:07:10 ipsec,debug 00000030 0000002c 01010004 0300000c 0100000c 800e0080 03000008 02000002 
may/14 00:07:10 ipsec,debug 03000008 03000002 00000008 04000002 
may/14 00:07:10 ipsec adding payload: KE 
may/14 00:07:10 ipsec,debug => (size 0x88) 
may/14 00:07:10 ipsec,debug 00000088 00020000 215fc082 d6a445c4 5298a5c1 0b2bcc8d da416f94 ec731404 
may/14 00:07:10 ipsec,debug c4cf6eee 8df01dac 83187409 2ca19344 ff611cb3 2fbcb662 e565da89 ea3e62f1 
may/14 00:07:10 ipsec,debug 96931489 58779843 8abcd57d 3d921e5f 2c29ff0b 108d3d2d 0ff110ed cc2d2843 
may/14 00:07:10 ipsec,debug 3b90b140 9d9cd7e7 7d4ae29d d3581f4d 843e1c99 0e2382f4 f01b7aa9 69073421 
may/14 00:07:10 ipsec,debug 20b2af6e 4f0e5847 
may/14 00:07:10 ipsec adding payload: NONCE 
may/14 00:07:10 ipsec,debug => (size 0x1c) 
may/14 00:07:10 ipsec,debug 0000001c 90540edf 427a4001 9621d1bd 331b63dc 55fff46a d4f89f9a 
may/14 00:07:10 ipsec adding notify: NAT_DETECTION_SOURCE_IP 
may/14 00:07:10 ipsec,debug => (size 0x1c) 
may/14 00:07:10 ipsec,debug 0000001c 00004004 20e93860 d56dd20c 2cbe33ad f615bd4a a766203a 
may/14 00:07:10 ipsec adding notify: NAT_DETECTION_DESTINATION_IP 
may/14 00:07:10 ipsec,debug => (size 0x1c) 
may/14 00:07:10 ipsec,debug 0000001c 00004005 4e032c12 e681f84f 903a1b8b e9872d86 3bfdec02 
may/14 00:07:10 ipsec adding payload: CERTREQ 
may/14 00:07:10 ipsec,debug => (size 0x5) 
may/14 00:07:10 ipsec,debug 00000005 04 
may/14 00:07:10 ipsec <- ike2 reply, exchange: SA_INIT:0 CLIENTS_PUBLIC_IP[16074] 
may/14 00:07:10 ipsec,debug ===== sending 301 bytes from MY_PUBLIC_IP[500] to CLIENTS_PUBLIC_IP[16074] 
may/14 00:07:10 ipsec,debug 1 times of 301 bytes message will be sent to CLIENTS_PUBLIC_IP[16074] 
may/14 00:07:10 ipsec,debug => skeyseed (size 0x14) 
may/14 00:07:10 ipsec,debug c8d8b078 f4465ff6 2498bfd3 d10a49f1 1e69e267 
may/14 00:07:10 ipsec,debug => keymat (size 0x14) 
may/14 00:07:10 ipsec,debug 90928560 6c748d1a a9c1fb27 7a7856ad 3620208e 
may/14 00:07:10 ipsec,debug => SK_ai (size 0x14) 
may/14 00:07:10 ipsec,debug d6849279 ccfdbef0 983d3ccd 8127fdff 0f5ac31b 
may/14 00:07:10 ipsec,debug => SK_ar (size 0x14) 
may/14 00:07:10 ipsec,debug da2b4518 5fe5ecc5 3ea7dc97 9c805e29 6688bfc6 
may/14 00:07:10 ipsec,debug => SK_ei (size 0x10) 
may/14 00:07:10 ipsec,debug dbd9faa8 88996893 77912fdc 06452f93 
may/14 00:07:10 ipsec,debug => SK_er (size 0x10) 
may/14 00:07:10 ipsec,debug 8436e3fe b4a17b72 dc78d9e6 25f4ebac 
may/14 00:07:10 ipsec,debug => SK_pi (size 0x14) 
may/14 00:07:10 ipsec,debug bedf9347 29a0cf47 badc62ad 77349d7b 350134f3 
may/14 00:07:10 ipsec,debug => SK_pr (size 0x14) 
may/14 00:07:10 ipsec,debug b5e3b585 fe83e713 416e0b8e 3e4963a0 5bff25c4 
may/14 00:07:10 ipsec,info new ike2 SA (R): MY_PUBLIC_IP[500]-CLIENTS_PUBLIC_IP[16074] spi:07ac5662f4f8f81f:18c6f9887673eddb 
may/14 00:07:10 ipsec processing payloads: VID (none found) 
may/14 00:07:10 ipsec processing payloads: NOTIFY 
may/14 00:07:10 ipsec   notify: REDIRECT_SUPPORTED 
may/14 00:07:10 ipsec   notify: NAT_DETECTION_SOURCE_IP 
may/14 00:07:10 ipsec   notify: NAT_DETECTION_DESTINATION_IP 
may/14 00:07:10 ipsec   notify: IKEV2_FRAGMENTATION_SUPPORTED 
may/14 00:07:10 ipsec (NAT-T) REMOTE  
may/14 00:07:10 ipsec KA list add: MY_PUBLIC_IP[4500]->CLIENTS_PUBLIC_IP[16074] 
may/14 00:07:10 ipsec,debug ===== received 1580 bytes from CLIENTS_PUBLIC_IP[16075] to MY_PUBLIC_IP[4500] 
may/14 00:07:10 ipsec -> ike2 request, exchange: AUTH:1 CLIENTS_PUBLIC_IP[16075] 
may/14 00:07:10 ipsec peer ports changed: 16074 -> 16075 
may/14 00:07:10 ipsec KA remove: MY_PUBLIC_IP[4500]->CLIENTS_PUBLIC_IP[16074] 
may/14 00:07:10 ipsec,debug KA tree dump: MY_PUBLIC_IP[4500]->CLIENTS_PUBLIC_IP[16074] (in_use=1) 
may/14 00:07:10 ipsec,debug KA removing this one... 
may/14 00:07:10 ipsec KA list add: MY_PUBLIC_IP[4500]->CLIENTS_PUBLIC_IP[16075] 
may/14 00:07:10 ipsec payload seen: ENC 
may/14 00:07:10 ipsec processing payload: ENC 
may/14 00:07:10 ipsec,debug => iv (size 0x10) 
may/14 00:07:10 ipsec,debug 0694af75 06630bd2 d74849dc 19942065 
may/14 00:07:10 ipsec,debug => plain payload (trimmed) (first 0x100 of 0x5e9) 
may/14 00:07:10 ipsec,debug 2900000c 01000000 c0a82bf5 29000008 00004000 24000008 0000400c 2700000c 
may/14 00:07:10 ipsec,debug 01000000 c14dddc9 25000108 01000000 623857b1 51e6c1a0 bd2c36e0 7b0bacc1 
may/14 00:07:10 ipsec,debug fe49dae4 e041a444 5ff84923 73326d31 e75e08de d614be52 7b3d8d56 e3bb8a35 
may/14 00:07:10 ipsec,debug ddfe91a5 9ad0c541 1608a927 07e35593 613e4659 a7c63286 2b4fffd8 7f509a49 
may/14 00:07:10 ipsec,debug 4c570707 2d9758c5 4b5bb85d fbf990e2 5d198bc8 2f1a1fa8 43ece070 b300916f 
may/14 00:07:10 ipsec,debug f4eb3185 796e8d62 d6b13307 51215575 592022d7 b75b35dd 12cc9408 17f6ceb4 
may/14 00:07:10 ipsec,debug 943859e8 0ef301c8 30c97b9c c7f7c6ed 0d631ec0 95bce87c 7c4ba82e b149657f 
may/14 00:07:10 ipsec,debug 6ffeec77 35aecd3b f50b92f7 344b9794 5920891e 7194226b f3132c30 8a450dd3 
may/14 00:07:10 ipsec,debug decrypted 
may/14 00:07:10 ipsec payload seen: ID_I 
may/14 00:07:10 ipsec payload seen: NOTIFY 
may/14 00:07:10 ipsec payload seen: NOTIFY 
may/14 00:07:10 ipsec payload seen: ID_R 
may/14 00:07:10 ipsec payload seen: AUTH 
may/14 00:07:10 ipsec payload seen: CERT 
may/14 00:07:10 ipsec payload seen: CONFIG 
may/14 00:07:10 ipsec payload seen: NOTIFY 
may/14 00:07:10 ipsec payload seen: NOTIFY 
may/14 00:07:10 ipsec payload seen: SA 
may/14 00:07:10 ipsec payload seen: TS_I 
may/14 00:07:10 ipsec payload seen: TS_R 
may/14 00:07:10 ipsec ike auth: respond 
may/14 00:07:10 ipsec processing payload: ID_I 
may/14 00:07:10 ipsec ID_I (ADDR4): 192.168.43.245 
may/14 00:07:10 ipsec processing payload: ID_R 
may/14 00:07:10 ipsec ID_R (ADDR4): MY_PUBLIC_IP 
may/14 00:07:10 ipsec processing payload: AUTH 
may/14 00:07:10 ipsec processing payload: CERT 
may/14 00:07:10 ipsec got CERT: Anze Jensterle 
may/14 00:07:10 ipsec,debug => (size 0x334) 
may/14 00:07:10 ipsec,debug 30820330 30820218 a0030201 0202087e a244d0ab c6e84d30 0d06092a 864886f7 
may/14 00:07:10 ipsec,debug 0d01010b 05003018 31163014 06035504 030c0d56 45435449 47414c49 532d4341 
may/14 00:07:10 ipsec,debug 301e170d 31393035 31333230 30343530 5a170d32 30303531 32323030 3435305a 
may/14 00:07:10 ipsec,debug 30193117 30150603 5504030c 0e416e7a 65204a65 6e737465 726c6530 82012230 
may/14 00:07:10 ipsec,debug 0d06092a 864886f7 0d010101 05000382 010f0030 82010a02 82010100 b746d1c7 
may/14 00:07:10 ipsec,debug bf19401c fdc4b07d df7b3ccd 4641a8aa 376972a8 8ef73029 8941c2c2 f81080ee 
may/14 00:07:10 ipsec,debug 6a3866c7 aeff3e0a 769216b0 35c011d2 d6edc484 8fb08728 58a0c0d9 55714b58 
may/14 00:07:10 ipsec,debug 98d266d7 bd96e677 d77754d7 7aeecc61 c577446b b337f2e9 cdb7dcd8 1ae4f83a 
may/14 00:07:10 ipsec,debug 
may/14 00:07:10 ipsec,debug 015af42b 99e0527f b2848f5d d85fce42 7638a43c 3bff2c39 30007619 5f9ae18d 
may/14 00:07:10 ipsec,debug 92e5ce40 d2c7bc4b e47e4886 063bcc25 032bebca 0932c6df fc65bd0d 936f2d99 
may/14 00:07:10 ipsec,debug 49b40eb7 3ed5ff50 6524fad3 fb031691 8b6894ed dc151fa0 98b7031e ffbdc542 
may/14 00:07:10 ipsec,debug 98b37f14 7886bad0 5aa6475b c947a57c ca476874 4690a0c1 aca3bcfd 5a17fa02 
may/14 00:07:10 ipsec,debug 040074c0 d0ede069 519c5534 c65a4de5 220b4c4f 35774a8c 27e36af3 02030100 
may/14 00:07:10 ipsec,debug 01a37d30 7b301306 03551d25 040c300a 06082b06 01050507 0302301d 0603551d 
may/14 00:07:10 ipsec,debug 0e041604 14a7a25f be984ee2 0964e6d4 f07ec9a7 366eb3d6 15301f06 03551d23 
may/14 00:07:10 ipsec,debug 04183016 80142ab0 361451e8 9edc5a3b 3d5bd7ad 5150c96c 634a3024 06096086 
may/14 00:07:10 ipsec,debug 
may/14 00:07:10 ipsec,debug 480186f8 42010d04 17161547 656e6572 61746564 20627920 526f7574 65724f53 
may/14 00:07:10 ipsec,debug 300d0609 2a864886 f70d0101 0b050003 82010100 2afa0862 e862ee3a ce80aa42 
may/14 00:07:10 ipsec,debug 4b9814e4 42ccc825 a70700f5 10144deb 0f7dc3d7 f2c19e4f 0027c504 3231f2b7 
may/14 00:07:10 ipsec,debug c484e15c 0b646268 c53f792a 0fd356bf ab8af20c 8965d20b 0adb2a3b 66dc2364 
may/14 00:07:10 ipsec,debug 61d2ba1a c32472ab 357e88ae 2b49a40e e3d67af0 bdf44645 1f677b0b 538bec55 
may/14 00:07:10 ipsec,debug 8870bfe7 491b735b ccdb69bf 8f5a4c77 4450eb3b a03770ad b4f59a7a 3ecf6cc9 
may/14 00:07:10 ipsec,debug 77f26ffa 2584fcf8 017e143b 21b5e13b 6524c58e fe6be4e0 286ec3cc 16f29198 
may/14 00:07:10 ipsec,debug 687b6a27 db869586 84b3409b e89b80f0 dc722009 c6626a46 913af3c0 2a5178d5 
may/14 00:07:10 ipsec,debug 
may/14 00:07:10 ipsec,debug 7a46a085 a56148fd a6511bf3 99c5db2a fc04b196 471a9089 34b91139 510e9e66 
may/14 00:07:10 ipsec,debug 88c6dc00 6a0e0da4 26a447d0 419a8c87 1768992d 
may/14 00:07:10 ipsec processing payloads: NOTIFY 
may/14 00:07:10 ipsec   notify: INITIAL_CONTACT 
may/14 00:07:10 ipsec   notify: MOBIKE_SUPPORTED 
may/14 00:07:10 ipsec   notify: ESP_TFC_PADDING_NOT_SUPPORTED 
may/14 00:07:10 ipsec   notify: NON_FIRST_FRAGMENTS_ALSO 
may/14 00:07:10 ipsec processing payload: AUTH 
may/14 00:07:10 ipsec,debug => peer's auth (size 0x100) 
may/14 00:07:10 ipsec,debug 623857b1 51e6c1a0 bd2c36e0 7b0bacc1 fe49dae4 e041a444 5ff84923 73326d31 
may/14 00:07:10 ipsec,debug e75e08de d614be52 7b3d8d56 e3bb8a35 ddfe91a5 9ad0c541 1608a927 07e35593 
may/14 00:07:10 ipsec,debug 613e4659 a7c63286 2b4fffd8 7f509a49 4c570707 2d9758c5 4b5bb85d fbf990e2 
may/14 00:07:10 ipsec,debug 5d198bc8 2f1a1fa8 43ece070 b300916f f4eb3185 796e8d62 d6b13307 51215575 
may/14 00:07:10 ipsec,debug 592022d7 b75b35dd 12cc9408 17f6ceb4 943859e8 0ef301c8 30c97b9c c7f7c6ed 
may/14 00:07:10 ipsec,debug 0d631ec0 95bce87c 7c4ba82e b149657f 6ffeec77 35aecd3b f50b92f7 344b9794 
may/14 00:07:10 ipsec,debug 5920891e 7194226b f3132c30 8a450dd3 fca301cb 0e1af983 4db322e2 09a066a1 
may/14 00:07:10 ipsec,debug 9558ea5b c7225019 31531a6f 1d25a6f2 3d26c414 64a14520 ea6a7746 81be2c38 
may/14 00:07:10 ipsec,error peer's ID does not match certificate 
may/14 00:07:10 ipsec reply notify: AUTHENTICATION_FAILED 
may/14 00:07:10 ipsec adding notify: AUTHENTICATION_FAILED 
may/14 00:07:10 ipsec,debug => (size 0x8) 
may/14 00:07:10 ipsec,debug 00000008 00000018 
may/14 00:07:10 ipsec <- ike2 reply, exchange: AUTH:1 CLIENTS_PUBLIC_IP[16075] 
may/14 00:07:10 ipsec,debug ===== sending 220 bytes from MY_PUBLIC_IP[4500] to CLIENTS_PUBLIC_IP[16075] 
may/14 00:07:10 ipsec,debug 1 times of 224 bytes message will be sent to CLIENTS_PUBLIC_IP[16075] 
may/14 00:07:10 ipsec,info,account peer failed to authorize: MY_PUBLIC_IP[4500]-CLIENTS_PUBLIC_IP[16075] spi:07ac5662f4f8f81f:18c6f9887673eddb 
may/14 00:07:10 ipsec,info killing ike2 SA: MY_PUBLIC_IP[4500]-CLIENTS_PUBLIC_IP[16075] spi:07ac5662f4f8f81f:18c6f9887673eddb 
may/14 00:07:10 ipsec KA remove: MY_PUBLIC_IP[4500]->CLIENTS_PUBLIC_IP[16075] 
may/14 00:07:10 ipsec,debug KA tree dump: MY_PUBLIC_IP[4500]->CLIENTS_PUBLIC_IP[16075] (in_use=1) 
may/14 00:07:10 ipsec,debug KA removing this one... 
# relevant part of /export hide-sensitive (public addresses masked)
/ip ipsec mode-config
add address-pool=pool-vpn name=ipsec-vpn split-include=192.168.137.0/24
/ip ipsec policy group
add name=RW-VPN
/ip ipsec profile
# phase 1 profile: only enc-algorithm is set, hash-algorithm and dh-group keep their defaults;
# in the log above every sha256 proposal from the client is skipped and proposal #4 (sha1/modp1024) is matched
add enc-algorithm=aes-256,aes-128 name=ipsec-RW
/ip ipsec peer
# responder-only (passive) IKEv2 peer for the road-warrior clients
add exchange-mode=ike2 name=ipsec-RW-VPN passive=yes profile=ipsec-RW send-initial-contact=no
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc pfs-group=none
# phase 2 proposal offered to the road-warrior clients
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-ctr,3des name=ipsec-RW-VPN pfs-group=none
/ip ipsec identity
# certificate authentication: the ID the client sends is checked against the certificate it presents
add auth-method=rsa-signature certificate=router-hq-VPN,ROOT-CA generate-policy=port-strict mode-config=ipsec-vpn peer=ipsec-RW-VPN policy-template-group=RW-VPN
/ip ipsec policy
# template from which generate-policy creates a policy for each connecting client
add dst-address=172.16.1.0/24 group=RW-VPN src-address=192.168.137.0/24 template=yes
 
sindy
Forum Guru
Posts: 3019
Joined: Mon Dec 04, 2017 9:19 pm

Re: macOS Road Warrior not connecting

Tue May 14, 2019 10:34 am

may/14 00:07:10 ipsec processing payload: ID_I
may/14 00:07:10 ipsec ID_I (ADDR4): 192.168.43.245
...
may/14 00:07:10 ipsec processing payload: CERT
may/14 00:07:10 ipsec got CERT: Anze Jensterle


What is the subject-alt-name of the certificate you've generated for the macOS device (which is unfortunately not shown in the log and also not available in the hex dump of the decrypted packet because it has been truncated too short)? If it is different from IP:192.168.43.245, it must fail.

See the wiki: In case when the peer sends certificate name as its ID, it is checked against the certificate, else the ID is checked against Subject Alt. Name.

It is also possible that the macOS device has chosen a different certificate than you intended it to use.

Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
CraftByte
just joined
Topic Author
Posts: 12
Joined: Mon Sep 12, 2016 4:38 pm

Re: macOS Road Warrior not connecting

Tue May 14, 2019 11:30 pm

Ah, that would be it then; it looks like the Mac does not send the cert name for some reason. I will add it as a SAN and make a new cert.
